AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-11-13 · Documentation low

File: prescriptive-guidance/latest/addf-security-and-operations/built-in-security-features.md

Summary

Removed reference to ModuleStack example and updated SeedFarmer documentation links related to permissions boundaries

Security assessment

Changes involve documentation cleanup and link updates without introducing or modifying security content. Removal of an example IAM policy reference does not indicate a security issue resolution.

Diff

diff --git a/prescriptive-guidance/latest/addf-security-and-operations/built-in-security-features.md b/prescriptive-guidance/latest/addf-security-and-operations/built-in-security-features.md
index f97e2128f..590300066 100644
--- a//prescriptive-guidance/latest/addf-security-and-operations/built-in-security-features.md
+++ b//prescriptive-guidance/latest/addf-security-and-operations/built-in-security-features.md
@@ -88 +88 @@ Each module contains a deployment specifications file that is called **deployspe
-However, if you need to run any stage commands outside of AWS CDK, you need to create a custom IAM policy instead of using the default service role for CodeBuild. For example, if you are using an IaC deployment framework other than AWS CDK, such as Terraform, you need to create an IAM policy that grants sufficient permissions for that specific framework to function. Another scenario that requires a dedicated IAM policy is when you include direct AWS Command Line Interface (AWS CLI) calls to other AWS services in the `install`, `pre_build`, `build`, or `post_build` stage commands. For example, you need a custom policy if your module includes an Amazon Simple Storage Service (Amazon S3) command to upload files to an S3 bucket. The custom IAM policy provides fine-grained control for any AWS command outside of the AWS CDK deployment. For an example custom IAM policy, see [ModuleStack](https://seed-farmer.readthedocs.io/en/latest/module_development.html#modulestack) (SeedFarmer documentation). When creating a custom IAM policy for your ADDF module, make sure that you apply least-privilege permissions.
+However, if you need to run any stage commands outside of AWS CDK, you need to create a custom IAM policy instead of using the default service role for CodeBuild. For example, if you are using an IaC deployment framework other than AWS CDK, such as Terraform, you need to create an IAM policy that grants sufficient permissions for that specific framework to function. Another scenario that requires a dedicated IAM policy is when you include direct AWS Command Line Interface (AWS CLI) calls to other AWS services in the `install`, `pre_build`, `build`, or `post_build` stage commands. For example, you need a custom policy if your module includes an Amazon Simple Storage Service (Amazon S3) command to upload files to an S3 bucket. The custom IAM policy provides fine-grained control for any AWS command outside of the AWS CDK deployment. When creating a custom IAM policy for your ADDF module, make sure that you apply least-privilege permissions.
@@ -106 +106 @@ Secrets Manager secrets are stored only in the target accounts, as needed for th
-IAM _permissions boundaries_ are a common security mechanism that defines the maximum permissions that an identity-based policy can grant to an IAM entity. SeedFarmer and CodeSeeder support an IAM permissions boundary attachment for each target account. The permissions boundary limits the maximum permissions of any service role used by CodeBuild when CodeSeeder deploys modules. IAM permissions boundaries must be created outside of ADDF by a security team. IAM permissions boundary policy attachments are accepted as an attribute within the ADDF deployment manifest file, **deployment.yaml**. For more information, see [Permissions boundary support](https://seed-farmer.readthedocs.io/en/latest/project_development.html?highlight=boundary#permissions-boundary-support) (SeedFarmer documentation).
+IAM _permissions boundaries_ are a common security mechanism that defines the maximum permissions that an identity-based policy can grant to an IAM entity. SeedFarmer and CodeSeeder support an IAM permissions boundary attachment for each target account. The permissions boundary limits the maximum permissions of any service role used by CodeBuild when CodeSeeder deploys modules. IAM permissions boundaries must be created outside of ADDF by a security team. IAM permissions boundary policy attachments are accepted as an attribute within the ADDF deployment manifest file, **deployment.yaml**. For more information, see [Permissions boundaries](https://seed-farmer.readthedocs.io/en/latest/concepts/multi-account/#permissions-boundaries) (SeedFarmer documentation).
@@ -114 +114 @@ The workflow is as follows:
-  3. The ADDF developer team integrates the policy ARN list into the manifest file. For an example of this integration, see [sample-permissionboundary.yaml](https://github.com/awslabs/autonomous-driving-data-framework/blob/d98e02f1a89d0029b35a56b93dd56c18c5cb2aa1/resources/sample-permissionboundary.yaml) (GitHub) and [Deployment manifest](https://seed-farmer.readthedocs.io/en/latest/manifests.html#deployment-manifest) (SeedFarmer documentation).
+  3. The ADDF developer team integrates the policy ARN list into the manifest file. For an example of this integration, see [sample-permissionboundary.yaml](https://github.com/awslabs/autonomous-driving-data-framework/blob/d98e02f1a89d0029b35a56b93dd56c18c5cb2aa1/resources/sample-permissionboundary.yaml) (GitHub).